[3475] in WWW Security List Archive


Re: NS Security Prompt Not for Novices

daemon@ATHENA.MIT.EDU (Dave Kinchlea)
Wed Nov 6 17:14:53 1996

Date: Wed, 6 Nov 1996 11:50:19 -0800 (PST)
From: Dave Kinchlea <security@kinch.ark.com>
To: "David W. Morris" <dwm@xpasc.com>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.GSO.3.95.961105191545.7737A-100000@shell1.aimnet.com>
Errors-To: owner-www-security@ns2.rutgers.edu

On Tue, 5 Nov 1996, David W. Morris wrote:
[...]
> I just encountered the following prompt
> when accessing a web page:
> 
> 
>     >Warning: There is a possible security hazzard here.
> 
>     Netscape will launch the application c:\windows\sndrec32.exe in
>     order to view a document.
> 
>     You should be aware that any file you download from the network
>     could contain malicious program code (applications) or scripting
>     language (documents). Simply viewing the contents of these files
>     could be dangerous.
> 
>     Take precautions: donot download anything from a site that you
>     do not trust.
> 
>     Are you sure you want to continue?
> 
>     ++
>     ++ don't show this for c:\window\sndrec32.exe again.
>       Note: To show this alert again, edit your NETSCAPE.INI file.
> 
> 
> 
> ( the ++/++ above is a check box).
> 
> After some effort, I guessed that the file was the *.wav file 
> embedded in the html file. How a basic user could make a rational
> decision is problematic.
> 
> Dave Morris
> 

I am not sure what your point is here, nor do I know what you mean by a
`basic user'. This all seems pretty clear to me: Netscape is warning you
that a particular application (which they name with a full file spec) is
to be launched IF AND ONLY IF you allow it. It provides a way to not be
continually annoyed with this notice, on an individual application basis if
that is your preference.  Presumedly, any user would be happy to have this
information and I have trouble believing that *anyone* would not know what
Netscape was asking. 

I DO believe that many would not understand how `malicious code ....' will
interact with their computer, but I think it is reasonable for people to
key on the well known word "malicious". Only a fool would blindly say yes
to this if they didn't understand what was happening (and yes, there are a
lot of fools but how is that Netscape's problem?).

While the 8.3 limits on names sometimes make it difficult to know what
the Application is, I don't believe there is too much difficulty in
determining that this is the Sound Recorder (32 bit version) but that is
neither here nor there.

What exactly is your complaint, and how would you do things differently? 

cheers, kinch


